[whatwg] Dealing with UI redress vulnerabilities inherent to the current web
Boris Zbarsky
bzbarsky at MIT.EDU
Wed Feb 18 07:27:47 PST 2009
On Thu, 25 Sep 2008, Michal Zalewski wrote:
> 1) Create a HTTP-level (or HTTP-EQUIV) mechanism along the lines of
> "X-I-Do-Not-Want-To-Be-Framed-Across-Domains: yes" that permits a web
> page to inhibit frame rendering in potentially dangerous situations.
>
> Pros:
>
> - Super-simple
>
> Cons:
>
> - "Opt-in", i.e. currently vulnerable sites remain vulnerable unless
> action is taken
Right. And really no different from:
<script>
if (window != window.top)
window.top.location.href = window.location.href;
</script>
in effect, right? This last already works in all browsers except IE,
which is presumably why IE felt the need to add another way to do it.
There _is_ an issue here if script is disabled, of course. In that
case, are there still situations where the parent frame can effectively
mislead the user?
> 2) Add a document-level mechanism to make "if nested <show this> else
> <show that>" conditionals possible without Javascript. One proposal is
> to do this on the level of CSS (by using either the media-dependency
> features of CSS or special classes); another is to introduce new HTML
> tags. This would make it possible for pages to defend themselves even
> in environments where Javascript is disabled or limited.
Right, addressing the concern above. The pro is that it ties
information directly to the document. The con is that it's harder to
deploy site-wide.... Is that a concern?
-Boris
More information about the whatwg
mailing list